Added data extension to set defaults, updated help, added README to explain customization

aegilops · aegilops · commit 252c9e9416c9 · 2024-06-19T17:27:17.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml b/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-queries
+      extensible: requiredHelmetSecuritySetting
+    data:
+      - ["frameguard"]
+      - ["contentSecurityPolicy"]
diff --git a/javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp b/javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp
@@ -22,14 +22,12 @@
             Users of the query can extend the set of required Helmet features by adding additional checks for them, using CodeQL <a href="https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/">data extensions</a>.
         </p>
 
-        <pre>
-extensions:
-- addsTo:
-    pack: codeql/javascript-all
-    extensible: requiredHelmetSecuritySetting
+        <pre>extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: requiredHelmetSecuritySetting
 data:
-    - name: "frameguard"
-        </pre>
+    - ["frameguard"]</pre>
 
         <p>
             Note: <code>frameguard</code> is an example: the query already enforces this setting, so it is not necessary to add it to the data extension. 
diff --git a/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql b/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
@@ -11,6 +11,8 @@
  *        cwe-1021
  */
 
+import javascript
+import DataFlow
 import semmle.javascript.frameworks.ExpressModules
 
 class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
@@ -22,39 +24,23 @@ class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
 
   ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }
 
-  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(true) }
+  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }
 
   string getName() { result = DataFlow::PropWrite.super.getPropertyName() }
 
   predicate isImportantSecuritySetting() {
-    this.getName() in ["frameguard", "contentSecurityPolicy"]
-    or
-    // read from data extensions to allow enforcing other settings
+    // read from data extensions to allow enforcing custom settings
+    // defaults are located in javascript/ql/lib/semmle/frameworks/helmet/Helmet.Required.Setting.model.yml
     requiredHelmetSecuritySetting(this.getName())
   }
 }
 
-/*
- * Extend the required Helmet security settings using data extensions.
- * Docs: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/
- * For example:
- *
- * extensions:
- *  - addsTo:
- *      pack: codeql/javascript-all
- *      extensible: requiredHelmetSecuritySetting
- *    data:
- *      - name: "frameguard"
- *
- * Note: `frameguard` is an example: the query already enforces this setting, so it is not necessary to add it to the data extension.
- */
-
 extensible predicate requiredHelmetSecuritySetting(string name);
 
 from HelmetProperty helmetProperty, ExpressLibraries::HelmetRouteHandler helmet
 where
   helmetProperty.isFalse() and
   helmetProperty.isImportantSecuritySetting() and
   helmetProperty.getHelmet() = helmet
-select helmet, "Helmet route handler, called with $@ set to 'false'.", helmetProperty,
+select helmet, "Helmet security middleware, configured with security setting $@ set to 'false', which disables enforcing that feature.", helmetProperty,
   helmetProperty.getName()
diff --git a/javascript/ql/src/Security/CWE-693/README.md b/javascript/ql/src/Security/CWE-693/README.md
@@ -0,0 +1,36 @@
+# Insecure Helmet Configuration - customizations
+
+You can extend the required [Helmet security settings](https://helmetjs.github.io/) using [data extensions](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).
+
+They are defaulted to just `frameguard` and `contentSecurityPolicy`, but you can add more using this method, to require them not to be set to `false` (which explicitly disables them) in the Helmet configuration.
+
+For example, this YAML model can be used inside a CodeQL model pack to require `frameguard` and `contentSecurityPolicy`:
+
+```yaml
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: requiredHelmetSecuritySetting
+    data:
+      - ["frameguard"]
+      - ["contentSecurityPolicy"]
+```
+
+Note: Using `frameguard` and `contentSecurityPolicy` is an example: the query already enforces these, so it is not necessary to add it with your own data extension.
+
+A suitable model pack might be:
+
+```yaml
+name: my-org/javascript-helmet-insecure-config-model-pack
+version: 1.0.0
+extensionTargets:
+  codeql/java-all: '*'
+dataExtensions:
+  - models/**/*.yml
+```
+
+## References
+
+- [Helmet security settings](https://helmetjs.github.io/)
+- [Customizing library models for javascript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/)
+- [Creating and working with CodeQL packs](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack)
